NDIS LWF modify packet

When I need to modify an outgoing packet in a LWF I copy and complete the original then make mods to the copy and send it off. This works well but when the modifications end up changing the size of the packet, I’m curious how I can handle the sequence number change.

I notice that in testing, when I make a change to a packet the next outgoing packet has the next expected sequence number of the original packet, not the change. Obviously it makes sense given that the LWF is below the protocol so is there a mechanism to sync the TCP stack so it expects and uses the value based on the changes my filter made? Or am I stuck with having to update all sequence numbers once a size change is made?

Does setting the driver to Modifying vs Filter have any effect?

When you modify the size, do you recalculate the checksums?

Yes

Are you saying you change the number of bytes in TCP streams?

Jan

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@gmail.com
Sent: Monday, January 15, 2018 12:41 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] NDIS LWF modify packet

Yes. Also modding UDP packets as well but the same issues don’t apply.

Currently doing this in a LWF because I need L2 access. WFP would be a nice option because I could do this at FWPM_LAYER_STREAM but layer 2 filtering is only available in WFP with Win 8+ and I have to support earlier versions.

I’m assuming I’m going to have to create my own context for each stream I modify and tweak seq/acks as necessary. Or maybe just build a WFP driver to handle this portion. Was hoping to keep everything in a single project though.
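An added example, not part of the thread and not code from any poster: one way to keep the per-stream context described above, so that outgoing sequence numbers and incoming acknowledgements are shifted by the bytes the filter added or removed. The `SEQ_ADJ` structure and the `seqadj_*` functions are hypothetical names; the code is plain C that works on host-byte-order values and makes no NDIS calls.

```c
#include <stdint.h>

/* Hypothetical per-TCP-flow context kept by the filter (not an NDIS type). */
typedef struct {
    uint32_t correction_pos; /* original seq of the latest resized segment */
    int32_t  offset_before;  /* delta for segments at or before that point */
    int32_t  offset_after;   /* delta for segments after that point */
} SEQ_ADJ;

/* Wraparound-safe "a is later than b" in 32-bit sequence space. */
static int seq_after(uint32_t a, uint32_t b)
{
    return (int32_t)(a - b) > 0;
}

/* Note that the segment the stack sent at `seq` changed size by `delta`.
 * A retransmission of the same segment is not counted twice. */
void seqadj_record(SEQ_ADJ *c, uint32_t seq, int32_t delta)
{
    if (c->offset_before == c->offset_after ||
        seq_after(seq, c->correction_pos)) {
        c->correction_pos = seq;
        c->offset_before  = c->offset_after;
        c->offset_after  += delta;
    }
}

/* Sequence number to put on the wire for a segment the stack sent at `seq`. */
uint32_t seqadj_out_seq(const SEQ_ADJ *c, uint32_t seq)
{
    int32_t off = seq_after(seq, c->correction_pos) ? c->offset_after
                                                    : c->offset_before;
    return seq + (uint32_t)off;
}

/* Ack number to hand up to the stack for an ack the peer sent as `ack`. */
uint32_t seqadj_in_ack(const SEQ_ADJ *c, uint32_t ack)
{
    uint32_t orig = ack - (uint32_t)c->offset_before;
    int32_t off = seq_after(orig, c->correction_pos) ? c->offset_after
                                                     : c->offset_before;
    return ack - (uint32_t)off;
}
```

The TCP checksum has to be recomputed after either rewrite, and SACK blocks in incoming segments carry sequence numbers that need the same translation as the ack field. Only the most recent resize point is remembered, so a retransmission of data older than the previous resize is not mapped correctly by this context.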

Hi John - I am trying to do something very similar here but am a newbie with LWF filters. I have looked through the site but cannot find how one would copy the original frame and complete the original. Also a little unclear on how to modify the copy and send it. Any pointers would be deeply appreciated. Thanks.